Icefog: A long-running cyber-espionage campaign

September 30, 2013

When a new high-profile attack is revealed–whether it’s a technology company, a government agency or a financial institution that’s targeted–the attention often focuses on the victim and what the attackers may have stolen. But, as a new report by Kaspersky Lab researchers on a long-running cyber-espionage operation shows, the attacks we find out about may just be part of a much larger chain of intrusions.

The attackers in the newly discovered campaign, known as Icefog, have been targeting organizations in a wide variety of industries in several countries, mainly in Japan and Korea. The victims have included companies from the US defense contractors’ supply chain  (like Lig Nex1 that manufactures displays for U.S. fighter planes F15), shipbuilding companies, telecoms and media companies.

The targeting methodology and modus operandi of the attackers suggest that they are working on hire, moving from target to target in order to get what they need for their customers and get out. They appear to know very well what they need from the victims. Basically, this kind of attackers come, steal what they want and leave. While in other cases, victims remain infected for months or even years, and data is continuously exfiltrated, the Icefog attackers appear to know very well what they need from the victims. Once the information is obtained, the victim is abandoned. The shortest amount of time the Icefog attackers spent in the victim’s computer – few hours. Before leaving the network, they clean up the system, not to leave traces.

The implications for businesses are troubling. Many companies rely on suppliers scattered around the world and have little or no visibility into their networks, operations or downstream supply chains. Trying to determine whether a given supplier or partner has been compromised or is a target for such an espionage campaign can be nearly impossible, leading to uncertainty. And researchers say that the attackers involved in operations such as Icefog don’t discriminate by size, location or industry. If you have what they want, they’ll find a way in, whether it’s through your network or one of your partners. Moreover, going after supply chain seems logical, as in some cases, it’s much easier for attackers to compromise contractor, than the main company directly.

Kurt Baumgartner, a security researcher at Kaspersky Lab who was involved in the research on Icefog, said that the attackers often jump from one organization to another with seemingly no discernible pattern. This “puddle jumping” methodology can make a well-planned attack campaign look like a random series of unconnected intrusions.

“It’s becoming harder to identify the patterns and connect them with one group,” he said.

Another trend is the emergence of “cyber-mercenaries” – organized groups of people conducting cyber-espionage/cyber-sabotage activities on demand, after order of anyone who pays money. This is something new in the area of targeted attacks. And we expect this trend to grow in future, and more small groups of cyber-mercenaries will be available for hire to perform surgical hit and run operations

For enterprises, which are always looking to reduce risk and avoid compromises, the need to be vigilant does not stop at their network perimeter. It now extends through supply chains, partners and everyone they do business with. Risk and attackers are everywhere.